Analysis
-
max time kernel
111s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 14:47
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Berbew.AA.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Berbew.AA.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Berbew.AA.exe
-
Size
57KB
-
MD5
f946ad52bbf35aa8deb1137f6a2ccf70
-
SHA1
70bc63315f5e6527c7ba20e3d05108406bf192f1
-
SHA256
3008acfa4d08cf30f996e7d62255bc9a93bde87414a444f2ffae56559db3f3ca
-
SHA512
eb13f97cfbb213947c0224c91fc4907cdadbcae8a78db22ac47153bd320fffeee7fbbb805a12c899e75686741db4ecfe51097f43d5898d25a17d7b074ac04352
-
SSDEEP
768:ZCw+IrbL8ky7iPKSHPlcUBjDYorlTpkUrN3+iT3a3oq2Pj/1H56TXdnhg:9nnokyMHX+olFrna3oq2Px8R
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmonoli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigmeagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpiqel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Babpgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfldopno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfmgmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peoanckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmmmdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfgbmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giolpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdonndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecpipck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpliec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpkkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahjcqcdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bndfclia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfnchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilicgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqlhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcnmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piipibff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akldhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbmoeeod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnfoho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baecgdbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkihe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcooinfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpemkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqgjlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglgnhgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjdkhpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkbdib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbmdmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnkdlagc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajkmbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnhpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkafofde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnlohdhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjebbkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdklje32.exe -
Executes dropped EXE 64 IoCs
pid Process 2732 Dgbiggof.exe 2848 Ddfjak32.exe 2756 Dmaoem32.exe 2928 Dbadcdgp.exe 2640 Dpedmhfi.exe 2240 Epgabhdg.exe 2620 Egbffj32.exe 2264 Ejcohe32.exe 2708 Eckcak32.exe 904 Eapcjo32.exe 1996 Fmfdppia.exe 2248 Fmhaep32.exe 852 Fbeimf32.exe 2960 Fpijgk32.exe 2224 Ffeoid32.exe 2612 Faopib32.exe 2516 Gledgkfn.exe 1536 Glgqlkdl.exe 1468 Gdbeqmag.exe 964 Gohjnf32.exe 1964 Gddbfm32.exe 2360 Gcjogidl.exe 2080 Glbcpokl.exe 2140 Hdilalko.exe 2172 Hgjdcghp.exe 1596 Hjkneb32.exe 2840 Hkljljko.exe 2296 Hllffmbb.exe 2776 Hfdkoc32.exe 2652 Inopce32.exe 3044 Ijfpif32.exe 572 Idnako32.exe 2404 Imifpagp.exe 2388 Iccnmk32.exe 396 Jfdgnf32.exe 2004 Jffddfjk.exe 2736 Jbmdig32.exe 1128 Jigmeagl.exe 2168 Joaebkni.exe 1796 Jkgfgl32.exe 1228 Jccjln32.exe 1724 Kgqcam32.exe 2724 Kmnljc32.exe 1816 Kgcpgl32.exe 692 Lkolmk32.exe 2192 Ledpjdid.exe 2392 Lkahbkgk.exe 2132 Lakqoe32.exe 2900 Lghigl32.exe 2788 Lmbadfdl.exe 2088 Lhgeao32.exe 2904 Liibigjq.exe 2636 Mgmbbkij.exe 2704 Mikooghn.exe 2236 Mebpchmb.exe 1472 Mpgdaqmh.exe 1956 Medligko.exe 1148 Mpjqfpke.exe 364 Mefiog32.exe 1740 Mkcagn32.exe 784 Meiedg32.exe 1084 Mhgbpb32.exe 2492 Noajmlnj.exe 3000 Nekbjf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2428 Backdoor.Win32.Berbew.AA.exe 2428 Backdoor.Win32.Berbew.AA.exe 2732 Dgbiggof.exe 2732 Dgbiggof.exe 2848 Ddfjak32.exe 2848 Ddfjak32.exe 2756 Dmaoem32.exe 2756 Dmaoem32.exe 2928 Dbadcdgp.exe 2928 Dbadcdgp.exe 2640 Dpedmhfi.exe 2640 Dpedmhfi.exe 2240 Epgabhdg.exe 2240 Epgabhdg.exe 2620 Egbffj32.exe 2620 Egbffj32.exe 2264 Ejcohe32.exe 2264 Ejcohe32.exe 2708 Eckcak32.exe 2708 Eckcak32.exe 904 Eapcjo32.exe 904 Eapcjo32.exe 1996 Fmfdppia.exe 1996 Fmfdppia.exe 2248 Fmhaep32.exe 2248 Fmhaep32.exe 852 Fbeimf32.exe 852 Fbeimf32.exe 2960 Fpijgk32.exe 2960 Fpijgk32.exe 2224 Ffeoid32.exe 2224 Ffeoid32.exe 2612 Faopib32.exe 2612 Faopib32.exe 2516 Gledgkfn.exe 2516 Gledgkfn.exe 1536 Glgqlkdl.exe 1536 Glgqlkdl.exe 1468 Gdbeqmag.exe 1468 Gdbeqmag.exe 964 Gohjnf32.exe 964 Gohjnf32.exe 1964 Gddbfm32.exe 1964 Gddbfm32.exe 2360 Gcjogidl.exe 2360 Gcjogidl.exe 2080 Glbcpokl.exe 2080 Glbcpokl.exe 2140 Hdilalko.exe 2140 Hdilalko.exe 2172 Hgjdcghp.exe 2172 Hgjdcghp.exe 1596 Hjkneb32.exe 1596 Hjkneb32.exe 2840 Hkljljko.exe 2840 Hkljljko.exe 2296 Hllffmbb.exe 2296 Hllffmbb.exe 2776 Hfdkoc32.exe 2776 Hfdkoc32.exe 2652 Inopce32.exe 2652 Inopce32.exe 3044 Ijfpif32.exe 3044 Ijfpif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cljgfj32.exe Process not Found File created C:\Windows\SysWOW64\Dakeak32.dll Hecnblah.exe File created C:\Windows\SysWOW64\Idhifn32.dll Nfbmnpfh.exe File opened for modification C:\Windows\SysWOW64\Pdfifg32.exe Ooianpif.exe File created C:\Windows\SysWOW64\Mmpfihfo.dll Llnhikkb.exe File created C:\Windows\SysWOW64\Ebgbkihn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fkflii32.exe Fpphlp32.exe File created C:\Windows\SysWOW64\Ekacnjfp.exe Edgkap32.exe File created C:\Windows\SysWOW64\Pofmgf32.dll Mnjokphk.exe File created C:\Windows\SysWOW64\Kkcmaqgg.dll Ljmmng32.exe File created C:\Windows\SysWOW64\Nhfkhhnc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dolpiipk.exe Process not Found File created C:\Windows\SysWOW64\Lkiibmmc.dll Ikibkhla.exe File created C:\Windows\SysWOW64\Gplgmodq.exe Gjpodhfi.exe File created C:\Windows\SysWOW64\Odelfqfd.dll Jppbkoaf.exe File created C:\Windows\SysWOW64\Nqpfil32.exe Njfnlahb.exe File created C:\Windows\SysWOW64\Pneihj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Odiagj32.exe Nolhoc32.exe File opened for modification C:\Windows\SysWOW64\Ndfbia32.exe Nknmplji.exe File created C:\Windows\SysWOW64\Ibigeojp.exe Hbgjoo32.exe File created C:\Windows\SysWOW64\Genpkk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mpfmhg32.exe Process not Found File created C:\Windows\SysWOW64\Peaagl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Micnbe32.exe Mdfejn32.exe File created C:\Windows\SysWOW64\Gfafnphf.dll Pofqhdnd.exe File created C:\Windows\SysWOW64\Fgaibb32.exe Fphqehda.exe File created C:\Windows\SysWOW64\Ndmjkmgd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ajnlqgfo.exe Amjkgbhe.exe File created C:\Windows\SysWOW64\Ckhcon32.dll Mmlmmdga.exe File created C:\Windows\SysWOW64\Mmdlqa32.exe Mfkcdgfi.exe File created C:\Windows\SysWOW64\Elhokg32.exe Ebojbaga.exe File created C:\Windows\SysWOW64\Emlbce32.dll Bdddpa32.exe File created C:\Windows\SysWOW64\Hbdmij32.dll Lkolmk32.exe File created C:\Windows\SysWOW64\Kfjhfboi.dll Mefiog32.exe File created C:\Windows\SysWOW64\Pnmaofkf.dll Cpojcpcm.exe File created C:\Windows\SysWOW64\Fjedajfi.dll Oooeeb32.exe File created C:\Windows\SysWOW64\Gnobopip.dll Hpcnmnnh.exe File created C:\Windows\SysWOW64\Incfhh32.exe Ipnigl32.exe File created C:\Windows\SysWOW64\Mggbobde.exe Process not Found File opened for modification C:\Windows\SysWOW64\Epgabhdg.exe Dpedmhfi.exe File created C:\Windows\SysWOW64\Jdipnedn.exe Jkpkepnn.exe File created C:\Windows\SysWOW64\Ahcoli32.exe Qaifoo32.exe File created C:\Windows\SysWOW64\Eljkqfko.exe Eepccldb.exe File created C:\Windows\SysWOW64\Bagmoigk.dll Ijofbnlm.exe File created C:\Windows\SysWOW64\Gmfoacmd.exe Process not Found File created C:\Windows\SysWOW64\Keaeao32.dll Process not Found File created C:\Windows\SysWOW64\Mnpalh32.dll Process not Found File created C:\Windows\SysWOW64\Iigkka32.dll Hbmnfajm.exe File opened for modification C:\Windows\SysWOW64\Dbhppd32.exe Process not Found File created C:\Windows\SysWOW64\Iiaddb32.exe Ipipllec.exe File created C:\Windows\SysWOW64\Ofhiao32.dll Eebpil32.exe File created C:\Windows\SysWOW64\Dfdbpl32.dll Hjjmgo32.exe File created C:\Windows\SysWOW64\Omiboo32.dll Process not Found File created C:\Windows\SysWOW64\Cocpjf32.exe Ciggap32.exe File created C:\Windows\SysWOW64\Nglhghgj.exe Nmccnc32.exe File created C:\Windows\SysWOW64\Ejldfh32.exe Egmhjm32.exe File opened for modification C:\Windows\SysWOW64\Gjpodhfi.exe Gceghn32.exe File created C:\Windows\SysWOW64\Qdqpab32.dll Apcfqd32.exe File created C:\Windows\SysWOW64\Gdoacc32.exe Process not Found File created C:\Windows\SysWOW64\Ojompp32.exe Process not Found File created C:\Windows\SysWOW64\Nqjmec32.exe Ngahmngp.exe File created C:\Windows\SysWOW64\Cqgkkg32.exe Cfagmn32.exe File created C:\Windows\SysWOW64\Bkomjmah.dll Klclom32.exe File opened for modification C:\Windows\SysWOW64\Llhejldh.exe Lodeahen.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqcnjnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqleqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodeahen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcohe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mipjbokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjppclkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaigmoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlljiklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjdjghf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocedieek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkbbqjgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqlhbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijhompm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belcck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpajmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqonjmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadkdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koacjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paojeafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnieaoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micnbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impblnna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenhfqle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjqlid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdddpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodikecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpnekc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glckehfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejnqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poldnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbpml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecaeoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Henipenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeegfkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngajeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbeacbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnlid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockhpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojijha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinchq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqhegf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmgbpbh.dll" Qfbcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbfahdg.dll" Imkfhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Medggj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idqpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgfpoimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjpipkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febnfe32.dll" Dfaachpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgmmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajkmbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgapn32.dll" Cehlbihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpgin32.dll" Haiagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcchbk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijahik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkckqpej.dll" Dbjjll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgpmm32.dll" Mhibik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olfkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfnlahb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkqqck32.dll" Aiegpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagbad32.dll" Meolcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmijpkgf.dll" Egmhjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jffddfjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pidgnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpblof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgiffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almhmg32.dll" Ngajeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbccn32.dll" Enblpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgchd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqjmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdklcebk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqninhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cflanc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliqbnep.dll" Bgmjla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcooinfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfbqol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aomghchl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manlhobe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgibeklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjpihcg.dll" Bichbckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqkmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdhjf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjklgj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmmpidn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpdihedp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkjqkhkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgcjgig.dll" Jjfplfll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdbbedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meaiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkngp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmlqg32.dll" Bggohi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffngkd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bickkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogijo32.dll" Lpejnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqnicl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmfnen32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 2732 2428 Backdoor.Win32.Berbew.AA.exe 29 PID 2428 wrote to memory of 2732 2428 Backdoor.Win32.Berbew.AA.exe 29 PID 2428 wrote to memory of 2732 2428 Backdoor.Win32.Berbew.AA.exe 29 PID 2428 wrote to memory of 2732 2428 Backdoor.Win32.Berbew.AA.exe 29 PID 2732 wrote to memory of 2848 2732 Dgbiggof.exe 30 PID 2732 wrote to memory of 2848 2732 Dgbiggof.exe 30 PID 2732 wrote to memory of 2848 2732 Dgbiggof.exe 30 PID 2732 wrote to memory of 2848 2732 Dgbiggof.exe 30 PID 2848 wrote to memory of 2756 2848 Ddfjak32.exe 31 PID 2848 wrote to memory of 2756 2848 Ddfjak32.exe 31 PID 2848 wrote to memory of 2756 2848 Ddfjak32.exe 31 PID 2848 wrote to memory of 2756 2848 Ddfjak32.exe 31 PID 2756 wrote to memory of 2928 2756 Dmaoem32.exe 32 PID 2756 wrote to memory of 2928 2756 Dmaoem32.exe 32 PID 2756 wrote to memory of 2928 2756 Dmaoem32.exe 32 PID 2756 wrote to memory of 2928 2756 Dmaoem32.exe 32 PID 2928 wrote to memory of 2640 2928 Dbadcdgp.exe 33 PID 2928 wrote to memory of 2640 2928 Dbadcdgp.exe 33 PID 2928 wrote to memory of 2640 2928 Dbadcdgp.exe 33 PID 2928 wrote to memory of 2640 2928 Dbadcdgp.exe 33 PID 2640 wrote to memory of 2240 2640 Dpedmhfi.exe 34 PID 2640 wrote to memory of 2240 2640 Dpedmhfi.exe 34 PID 2640 wrote to memory of 2240 2640 Dpedmhfi.exe 34 PID 2640 wrote to memory of 2240 2640 Dpedmhfi.exe 34 PID 2240 wrote to memory of 2620 2240 Epgabhdg.exe 35 PID 2240 wrote to memory of 2620 2240 Epgabhdg.exe 35 PID 2240 wrote to memory of 2620 2240 Epgabhdg.exe 35 PID 2240 wrote to memory of 2620 2240 Epgabhdg.exe 35 PID 2620 wrote to memory of 2264 2620 Egbffj32.exe 36 PID 2620 wrote to memory of 2264 2620 Egbffj32.exe 36 PID 2620 wrote to memory of 2264 2620 Egbffj32.exe 36 PID 2620 wrote to memory of 2264 2620 Egbffj32.exe 36 PID 2264 wrote to memory of 2708 2264 Ejcohe32.exe 37 PID 2264 wrote to memory of 2708 2264 Ejcohe32.exe 37 PID 2264 wrote to memory of 2708 2264 Ejcohe32.exe 37 PID 2264 wrote to memory of 2708 2264 Ejcohe32.exe 37 PID 2708 wrote to memory of 904 2708 Eckcak32.exe 38 PID 2708 wrote to memory of 904 2708 Eckcak32.exe 38 PID 2708 wrote to memory of 904 2708 Eckcak32.exe 38 PID 2708 wrote to memory of 904 2708 Eckcak32.exe 38 PID 904 wrote to memory of 1996 904 Eapcjo32.exe 39 PID 904 wrote to memory of 1996 904 Eapcjo32.exe 39 PID 904 wrote to memory of 1996 904 Eapcjo32.exe 39 PID 904 wrote to memory of 1996 904 Eapcjo32.exe 39 PID 1996 wrote to memory of 2248 1996 Fmfdppia.exe 40 PID 1996 wrote to memory of 2248 1996 Fmfdppia.exe 40 PID 1996 wrote to memory of 2248 1996 Fmfdppia.exe 40 PID 1996 wrote to memory of 2248 1996 Fmfdppia.exe 40 PID 2248 wrote to memory of 852 2248 Fmhaep32.exe 41 PID 2248 wrote to memory of 852 2248 Fmhaep32.exe 41 PID 2248 wrote to memory of 852 2248 Fmhaep32.exe 41 PID 2248 wrote to memory of 852 2248 Fmhaep32.exe 41 PID 852 wrote to memory of 2960 852 Fbeimf32.exe 42 PID 852 wrote to memory of 2960 852 Fbeimf32.exe 42 PID 852 wrote to memory of 2960 852 Fbeimf32.exe 42 PID 852 wrote to memory of 2960 852 Fbeimf32.exe 42 PID 2960 wrote to memory of 2224 2960 Fpijgk32.exe 43 PID 2960 wrote to memory of 2224 2960 Fpijgk32.exe 43 PID 2960 wrote to memory of 2224 2960 Fpijgk32.exe 43 PID 2960 wrote to memory of 2224 2960 Fpijgk32.exe 43 PID 2224 wrote to memory of 2612 2224 Ffeoid32.exe 44 PID 2224 wrote to memory of 2612 2224 Ffeoid32.exe 44 PID 2224 wrote to memory of 2612 2224 Ffeoid32.exe 44 PID 2224 wrote to memory of 2612 2224 Ffeoid32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Dgbiggof.exeC:\Windows\system32\Dgbiggof.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Ddfjak32.exeC:\Windows\system32\Ddfjak32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Dmaoem32.exeC:\Windows\system32\Dmaoem32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Dbadcdgp.exeC:\Windows\system32\Dbadcdgp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Dpedmhfi.exeC:\Windows\system32\Dpedmhfi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Epgabhdg.exeC:\Windows\system32\Epgabhdg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Egbffj32.exeC:\Windows\system32\Egbffj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ejcohe32.exeC:\Windows\system32\Ejcohe32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Eapcjo32.exeC:\Windows\system32\Eapcjo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Fmfdppia.exeC:\Windows\system32\Fmfdppia.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Fmhaep32.exeC:\Windows\system32\Fmhaep32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Fbeimf32.exeC:\Windows\system32\Fbeimf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Fpijgk32.exeC:\Windows\system32\Fpijgk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ffeoid32.exeC:\Windows\system32\Ffeoid32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Faopib32.exeC:\Windows\system32\Faopib32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Gledgkfn.exeC:\Windows\system32\Gledgkfn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Gohjnf32.exeC:\Windows\system32\Gohjnf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Gddbfm32.exeC:\Windows\system32\Gddbfm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Gcjogidl.exeC:\Windows\system32\Gcjogidl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Glbcpokl.exeC:\Windows\system32\Glbcpokl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Hdilalko.exeC:\Windows\system32\Hdilalko.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Hgjdcghp.exeC:\Windows\system32\Hgjdcghp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Hjkneb32.exeC:\Windows\system32\Hjkneb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Hkljljko.exeC:\Windows\system32\Hkljljko.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Hllffmbb.exeC:\Windows\system32\Hllffmbb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Ijfpif32.exeC:\Windows\system32\Ijfpif32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Idnako32.exeC:\Windows\system32\Idnako32.exe33⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Imifpagp.exeC:\Windows\system32\Imifpagp.exe34⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Jfdgnf32.exeC:\Windows\system32\Jfdgnf32.exe36⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Jffddfjk.exeC:\Windows\system32\Jffddfjk.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe38⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Jigmeagl.exeC:\Windows\system32\Jigmeagl.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Joaebkni.exeC:\Windows\system32\Joaebkni.exe40⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Jkgfgl32.exeC:\Windows\system32\Jkgfgl32.exe41⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Jccjln32.exeC:\Windows\system32\Jccjln32.exe42⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Kgqcam32.exeC:\Windows\system32\Kgqcam32.exe43⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Kmnljc32.exeC:\Windows\system32\Kmnljc32.exe44⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Kgcpgl32.exeC:\Windows\system32\Kgcpgl32.exe45⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Lkolmk32.exeC:\Windows\system32\Lkolmk32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe47⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Lkahbkgk.exeC:\Windows\system32\Lkahbkgk.exe48⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Lakqoe32.exeC:\Windows\system32\Lakqoe32.exe49⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Lghigl32.exeC:\Windows\system32\Lghigl32.exe50⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Lmbadfdl.exeC:\Windows\system32\Lmbadfdl.exe51⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Lhgeao32.exeC:\Windows\system32\Lhgeao32.exe52⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Liibigjq.exeC:\Windows\system32\Liibigjq.exe53⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Mgmbbkij.exeC:\Windows\system32\Mgmbbkij.exe54⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Mikooghn.exeC:\Windows\system32\Mikooghn.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Mebpchmb.exeC:\Windows\system32\Mebpchmb.exe56⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Mpgdaqmh.exeC:\Windows\system32\Mpgdaqmh.exe57⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Medligko.exeC:\Windows\system32\Medligko.exe58⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Mpjqfpke.exeC:\Windows\system32\Mpjqfpke.exe59⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Mefiog32.exeC:\Windows\system32\Mefiog32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:364 -
C:\Windows\SysWOW64\Mkcagn32.exeC:\Windows\system32\Mkcagn32.exe61⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Meiedg32.exeC:\Windows\system32\Meiedg32.exe62⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Mhgbpb32.exeC:\Windows\system32\Mhgbpb32.exe63⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Noajmlnj.exeC:\Windows\system32\Noajmlnj.exe64⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Nekbjf32.exeC:\Windows\system32\Nekbjf32.exe65⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Nocgbl32.exeC:\Windows\system32\Nocgbl32.exe66⤵PID:1988
-
C:\Windows\SysWOW64\Ndqokc32.exeC:\Windows\system32\Ndqokc32.exe67⤵PID:1420
-
C:\Windows\SysWOW64\Nadpdg32.exeC:\Windows\system32\Nadpdg32.exe68⤵PID:652
-
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe69⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe70⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Njbanida.exeC:\Windows\system32\Njbanida.exe71⤵PID:2968
-
C:\Windows\SysWOW64\Noojfpbi.exeC:\Windows\system32\Noojfpbi.exe72⤵PID:1356
-
C:\Windows\SysWOW64\Ojdndi32.exeC:\Windows\system32\Ojdndi32.exe73⤵PID:884
-
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe74⤵PID:548
-
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe75⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Ooccap32.exeC:\Windows\system32\Ooccap32.exe76⤵PID:2972
-
C:\Windows\SysWOW64\Odpljf32.exeC:\Windows\system32\Odpljf32.exe77⤵PID:3040
-
C:\Windows\SysWOW64\Obdlcjkd.exeC:\Windows\system32\Obdlcjkd.exe78⤵PID:1444
-
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe79⤵PID:1404
-
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe80⤵PID:1680
-
C:\Windows\SysWOW64\Ogcaaahi.exeC:\Windows\system32\Ogcaaahi.exe81⤵PID:2532
-
C:\Windows\SysWOW64\Pnminkof.exeC:\Windows\system32\Pnminkof.exe82⤵PID:1244
-
C:\Windows\SysWOW64\Pcjbfbmm.exeC:\Windows\system32\Pcjbfbmm.exe83⤵PID:928
-
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe84⤵PID:2116
-
C:\Windows\SysWOW64\Panboflg.exeC:\Windows\system32\Panboflg.exe85⤵PID:2332
-
C:\Windows\SysWOW64\Pfkkhmjn.exeC:\Windows\system32\Pfkkhmjn.exe86⤵PID:2872
-
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe87⤵PID:2780
-
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Pmgpjgph.exeC:\Windows\system32\Pmgpjgph.exe89⤵PID:1696
-
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe90⤵PID:960
-
C:\Windows\SysWOW64\Pmimpf32.exeC:\Windows\system32\Pmimpf32.exe91⤵PID:2940
-
C:\Windows\SysWOW64\Pccelqeb.exeC:\Windows\system32\Pccelqeb.exe92⤵PID:1124
-
C:\Windows\SysWOW64\Qpjeaa32.exeC:\Windows\system32\Qpjeaa32.exe93⤵PID:2468
-
C:\Windows\SysWOW64\Qibjjgag.exeC:\Windows\system32\Qibjjgag.exe94⤵PID:696
-
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe95⤵PID:2276
-
C:\Windows\SysWOW64\Aiegpg32.exeC:\Windows\system32\Aiegpg32.exe96⤵
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe97⤵PID:1936
-
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe98⤵PID:2024
-
C:\Windows\SysWOW64\Ahjcqcdm.exeC:\Windows\system32\Ahjcqcdm.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Aendjh32.exeC:\Windows\system32\Aendjh32.exe100⤵PID:2880
-
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Apheke32.exeC:\Windows\system32\Apheke32.exe102⤵PID:3048
-
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe103⤵PID:2372
-
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe104⤵PID:2044
-
C:\Windows\SysWOW64\Adenqd32.exeC:\Windows\system32\Adenqd32.exe105⤵PID:1132
-
C:\Windows\SysWOW64\Aibfik32.exeC:\Windows\system32\Aibfik32.exe106⤵PID:2228
-
C:\Windows\SysWOW64\Bplofekp.exeC:\Windows\system32\Bplofekp.exe107⤵PID:2540
-
C:\Windows\SysWOW64\Beignlig.exeC:\Windows\system32\Beignlig.exe108⤵PID:2908
-
C:\Windows\SysWOW64\Bpokkdim.exeC:\Windows\system32\Bpokkdim.exe109⤵PID:1968
-
C:\Windows\SysWOW64\Belcck32.exeC:\Windows\system32\Belcck32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe111⤵PID:564
-
C:\Windows\SysWOW64\Benpik32.exeC:\Windows\system32\Benpik32.exe112⤵PID:2744
-
C:\Windows\SysWOW64\Bofebqlb.exeC:\Windows\system32\Bofebqlb.exe113⤵PID:1208
-
C:\Windows\SysWOW64\Bljeke32.exeC:\Windows\system32\Bljeke32.exe114⤵PID:2672
-
C:\Windows\SysWOW64\Bagncl32.exeC:\Windows\system32\Bagncl32.exe115⤵PID:1168
-
C:\Windows\SysWOW64\Coknmp32.exeC:\Windows\system32\Coknmp32.exe116⤵PID:236
-
C:\Windows\SysWOW64\Cdhgegfd.exeC:\Windows\system32\Cdhgegfd.exe117⤵PID:2464
-
C:\Windows\SysWOW64\Cjdonndl.exeC:\Windows\system32\Cjdonndl.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Ccmcfc32.exeC:\Windows\system32\Ccmcfc32.exe119⤵PID:1748
-
C:\Windows\SysWOW64\Cjglcmbi.exeC:\Windows\system32\Cjglcmbi.exe120⤵PID:2432
-
C:\Windows\SysWOW64\Clehoiam.exeC:\Windows\system32\Clehoiam.exe121⤵PID:2824
-
C:\Windows\SysWOW64\Cjiiim32.exeC:\Windows\system32\Cjiiim32.exe122⤵PID:2760
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-